Meltdown and Spectre: the CPU kernel bugs
What are Meltdown and Spectre?
Meltdown and Spectre are recently found serious security flaws in modern processors, that could let attackers steal sensitive data, including passwords and banking information. The flaw was found in processors designed by Intel, AMD and ARM. It was discovered by security researches at Google’s ‘Project Zero‘, a team that discovers vulnerabilities in software.
The Discovery
Even though the news came out on 2nd January 2018, the team of Project Zero had discovered the flaw in mid 2017 itself. Google had informed the affected companies about the Spectre flaw on 1st June 2017. Later reported the Meltdown flaw before 28th July 2017. Google had planned to release the details of the flaw in early 2018, but the news broke out early and they were forced to release the details. When the public got to know about the issue, Windows , Linux and Apple were ready with the patches (updates) to reduce the consequences of the flaw. They said these updates may result in reducing the performance of the processors as well.
Inside the Processor
To understand what the flaw actually is and how it works inside the processor, you need know some processor techniques such as pipelining, out-of-order execution, branch prediction, and speculative execution.
Pipelining
To increase the throughput and performance of the processor, multiple instructions that are in different stages are loaded into the processor and processed with continuous and somewhat overlapped movement. This keeps the processor busy most of the time, speeding things up considerably.
Out of order execution
There is a limit to speeding the processor using pipelining. Some instructions depend on others. For example, if one instruction writes to a memory address, and then another one reads from it, the second instruction cannot begin executing until the first has finished. This can cause a pipeline stall. Accessing data from RAM is costly. If the data is not in the cache then it may be several hundred clock cycles before the first instruction has completed. To minimize the time spent waiting for such delays, modern CPUs can recognize which instructions do not have such dependencies, and execute those first.
Two things reliably stall a pipeline: branches and tests. This realization leads to two major design features of contemporary processors, branch prediction and speculative execution. These are at the heart of the new class of security vulnerability.
Branch prediction
During a branch prediction, the processor tries to guess which way a branch will go before it is known definitively. This helps a lot in improving the performance of a pipelined processor. The details of how it works are often vague. Although common techniques include keeping a statistical track of how a branch has proceeded in the past.
Speculative execution
Speculative execution is a technique where the processor assumes values, data or results what it might be and continues the processing. At the end if the assumption was wrong, the processor restores its state to the checkpoint and carries on.
Where it goes wrong?
Where all these fails is when assuming that the processor can recover from a failed guess and restore itself to exactly the condition it was in before. However when a speculative instruction reads from memory, it goes to the cache first and the cache’s condition can materially change or materially affect later processing in ways that persist.
Side-channel attack
Side-channel attack can be defined as extracting data independently of the processor’s explicit data-handling paths. Modern processors have a hierarchy of caches, level 1 cache, level 2 cache and level 3 cache. The processor look for availability of data along these levels and finally in main memory. Even if the attacker do not have access to the data storage, he can tell whether a victim process has accessed a certain block of memory by timing how long it takes to complete, or by clearing the cache before the victim executes, and then seeing whether the memory address is back in the cache afterwards. The victim is accessing locations depending on what the private key is, so by figuring out which locations the victim is accessing, the attacker can work backwards and get the private key.
How a Spectre attack works?
In a Spectre attack the attacker trains the branch predictor with a valid input and make it run successfully. Then the attacker clears the cache and submits an incorrect value aimed at the contents of memory he is not normally allowed to see. Because the attacker has cleared the cache the processor has to wait for hundreds of cycles for the data to come in from main memory. And this is long enough for the attacker to run quite a lot of code. However the branch predictor will assume a value, complete the process and store the result in the memory. Then only it realizes that the guess was wrong and restores its state. But it’s too late now. The attacker knows where to look for the data.
How a Meltdown attack works?
A processor has two different modes: user mode and kernel mode. It switches between the two modes depending on what type of code is running on the processor. In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. During a Meltdown attack the attacker sets up speculative execution in a user process that accesses protected memory. The processor passes control to the kernel to handle while speculative execution is still going on. In the time it takes to handle the illegal access, the attacker can access protected contents.
How can you protect your data from attackers?
Moving kernel memory to a higher protection level within the processor and changing the processor’s internal state more significantly when a user program switches to the kernel makes it harder for attackers to perform a Meltdown attack. However these may result in performance deficits. Spectre relies on speculative execution and branch prediction. Abandoning these techniques will take performance of modern computers decades backwards. For now, just update your operating system to protect yourself from attackers.
